NVD - CVE-2026-33368 (original) (raw)
Description
Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 contains a reflected cross-site scripting (XSS) vulnerability in the Classic Webmail REST interface (/h/rest). The application fails to properly sanitize user-supplied input, allowing an unauthenticated attacker to inject malicious JavaScript into a crafted URL. When a victim user accesses the link, the injected script executes in the context of the Zimbra webmail application, which could allow the attacker to perform actions on behalf of the victim.
Metrics
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:
NIST: NVD
NVD assessment not yet provided.
CVSS 3.x Severity and Vector Strings:
NIST: NVD
Base Score: N/A
NVD assessment not yet provided.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS 2.0 Severity and Vector Strings:
NIST: NVD
Base Score: N/A
NVD assessment not yet provided.
Weakness Enumeration
| CWE-ID | CWE Name | Source |
|---|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | CISA-ADP |
Known Affected Software Configurations Switch to CPE 2.2
Change History
3 change records found show changes
Initial Analysis by NIST 4/01/2026 11:37:25 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CPE Configuration | OR *cpe:2.3:a:synacor:zimbra_collaboration_suite:*:*:*:*:*:*:*:* versions from (including) 10.0.0 up to (excluding) 10.1.16 | |
| Added | Reference Type | MITRE: https://wiki.zimbra.com/wiki/Security\_Center Types: Release Notes, Vendor Advisory | |
| Added | Reference Type | MITRE: https://wiki.zimbra.com/wiki/Zimbra\_Releases/10.1.16#Security\_Fixes Types: Release Notes | |
| Added | Reference Type | MITRE: https://wiki.zimbra.com/wiki/Zimbra\_Responsible\_Disclosure\_Policy Types: Product | |
| Added | Reference Type | MITRE: https://wiki.zimbra.com/wiki/Zimbra\_Security\_Advisories Types: Vendor Advisory |
CVE Modified by CISA-ADP 3/23/2026 10:16:33 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CVSS V3.1 | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | |
| Added | CWE | CWE-79 |
New CVE Received from MITRE 3/20/2026 10:16:15 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Description | Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 contains a reflected cross-site scripting (XSS) vulnerability in the Classic Webmail REST interface (/h/rest). The application fails to properly sanitize user-supplied input, allowing an unauthenticated attacker to inject malicious JavaScript into a crafted URL. When a victim user accesses the link, the injected script executes in the context of the Zimbra webmail application, which could allow the attacker to perform actions on behalf of the victim. | |
| Added | Reference | https://wiki.zimbra.com/wiki/Security\_Center | |
| Added | Reference | https://wiki.zimbra.com/wiki/Zimbra\_Releases/10.1.16#Security\_Fixes | |
| Added | Reference | https://wiki.zimbra.com/wiki/Zimbra\_Responsible\_Disclosure\_Policy | |
| Added | Reference | https://wiki.zimbra.com/wiki/Zimbra\_Security\_Advisories |